Risk and Opportunity Register - Master Sheet 


Date raised | Opportunity/risk description (opportunities shaded in blue) | Risk Appetite area | Risk appetite | IRSP Goals | Current Probability | Current Impact | Current Overall priority | Proximity | Strategic | Target Probability | Target Overall Priority


1 | 01/04/17 | R4
Capacity and Capability: (Cause) Risk that increasing demand, public and stakeholder expectations, and/or additional unplanned work and/or reduced availability of staff results in (Threat) key resources being overstretched and having insufficient capacity, capability, knowledge and/or skills to deliver all business plan requirements, (Impact) resulting in business operational issues and pinch points, possible failure to deliver regulatory priority activities and impacting upon the ICO’s ability to deliver all of its intended objectives and outcomes.
Infrastructure and resources | Open | All goals | 5 | 4 | Same <> | Medium term | Corporate | 3


2 | 30/04/19 | R73
Compliance culture: (Cause) Risk that as demand and capacity increase and/or changes, the ICO’s infrastructure and accountability culture is unable to (Threat) keep up with the pace of change to comply with legal and other obligations expected of a modern regulator (Impact) impacting upon its ability to maintain and increase public trust and be an effective and knowledgeable regulator.
Organisational controls and compliance | Cautious | All goals | 4 | Same <> | Medium term | Corporate

3 | 28/06/17 | R3
Regulatory enforcement | Cautious


Financial Resilience: (Cause) Risk that sensitivities in the income growth forecast and new territories of expenditure create inaccurate financial forecasting and planning assumptions (Threat) leading to insufficient funding and financial stress (Impact) impeding the ICO’s ability to meet its statutory requirements, and full delivery of all of its intended IRSP goals and outcomes.
Infrastructure and resources


30/07/18 


5 | 06/04/20 | R84
Major Incident: (Cause) Risk that an internal or external major incident occurs (e.g. extreme weather, fire incident, chemical incident, pandemic (e.g. Covid-19), or deliberate incidents such as terrorist acts) which renders the ICO unable to utilise part or all of its resources and infrastructure (such as staff, buildings, IT systems etc) such that (Threat) the ICO is unable to deliver some, or in extreme cases all of its regulation services, (Impact) increasing public information rights risk for a period of time and resulting in a reduced achievement of the IRSP Goals over the longer period.
Infrastructure and resources


06/04/20 | R85
Managing ICO Reputation: (C) Risk that decisions are taken without giving due consideration to the strategic reputational impact on the ICO (T) such that action is not taken at the right time to proactively and effectively manage the reputation of the ICO (I) impacting upon the ICO’s ability to increase public trust and confidence, provide excellent public service and to demonstrate that it is an effective and knowledgeable regulator.
Reputational

30/06/17 


08/12/20 


Medium term | Corporate


Regulatory Action: (Cause) We do not effectively take account of pertinent aspects of a case, have flawed or ineffective processes and/or decision-making that mean (threat) we take disproportionate, inappropriate, or no action against an organisation (impact) which allows poor information rights practices to continue and/or proliferate and damages the ICO’s credibility as a regulator to enforce the laws, increase the public’s trust and confidence in how data is used, and maintain and develop influence within the information rights regulatory community.
Regulatory enforcement | Cautious | 1,2,5,6




R2 | Organisational change and development | All goals

3 4


27/09/18 | R10
Statutory Codes: (Cause) Risk that significantly complex and contentious subject matter (e.g. economic impact), alongside competing stakeholder audience expectations slows the drafting and implementation of Statutory Codes of Practice such that (Threat) the ICO is unable to deliver the Codes within required timescales and to the desired quality through the eyes of external stakeholders (Impact) impacting negatively on the ICO’s reputation and relevance as a regulator to deliver across all stakeholders, decreasing its public trust, influence and effectiveness.
Regulatory guidance and strategy | Open | All goals | Same <> | Medium term


10 | 27/11/18 | R61
Litigation Resource: (Cause) Risk that multiple or a single significant legal challenge or trend emerges (Threat) diverting significant financial and non-financial resources into possibly lengthy legal disputes (Impact) impacting upon the ICO’s ability to legally defend itself which could have a domino effect on its decision making, its financial resilience, its reputation as an effective regulator and diluting its operational ability to achieve all of its IRSP goals.
Infrastructure and resources | Open | All goals | 3 | 4 | Same <> | Medium term


11 | 07/07/20 | R88
Future role and structure of the ICO: (Cause) Government led reviews of the role of the future data protection regulatory framework, and of the ICO’s role, governance and remit, or internally-driven organisational restructures, (Threat) lead to organisational and stakeholder uncertainty or staff change fatigue (Impact) impeding the ability of the ICO to regulate with maximum efficiency and effectiveness and deliver all of its strategic objectives and priorities
Organisational change and development | Open | All goals | New | Medium term

12 | 06/04/20 | R83
Staff Wellbeing and Welfare: (Cause) Risk that the ongoing pandemic and lockdown arrangements have a detrimental impact upon the physical, emotional and mental wellbeing of staff such that (threat) capacity may be reduced, as staff are less engaged or able to perform at their best at a time of increasing demand resulting in (impact) possible business operational issues and pinch points with possible failure to deliver priority activities to expected levels.
Organisational change and development

13 | 08/03/19 | R72
SMEs: (Cause) Risk that the ICO does not sufficiently recognise and act on the needs of small organisations such that the ICO (Threat) does not provide SMEs with value for money relevant services resulting in (impact) low levels or awareness, poor trust and information rights practices from SMEs impacting upon the ICO’s delivery of the IRSP goals around increasing public trust and confidence, improving standards of practice and being an effective regulator.
Regulatory guidance and strategy


14 | 15/06/20 | R87
International position: (Cause) The uncertain global context in which ICO operates (in particular the UK’s future global relationships with and outside the EU and implications of the Covid19 pandemic) lead to (threat) the ICO failing to develop and maintain effective international relationships or effectively deliver aspects of its domestic regulatory role, thereby reducing opportunities to develop global collaborative DP approaches on policy, tech and interoperability and (Impact) meaning the ICO is unable to maintain and develop influence within the global information rights regulatory community, increase public trust and confidence and improve standards of information rights.
Reputational

16 | 14/09/20 | R89
Compensation: (Cause) The ICO is unable to award compensation to complainants unlike other ombudsman services. As a consequence, (Threat) consumers go to an ombudsman scheme where compensation can be awarded, (impact) so the ICO is not seen as a relevant regulator and fails to capture data about these breaches.
Reputational | Cautious | 1,4,5,6 | New | Medium term | Corporate

47 | 08/12/20 | R91
Targeted Regulatory Activity: (Cause) we do not have effective processes and practices in place to take a robust risk-based prioritisation approach to our regulatory work (threat) so we do not target our work to the most important and impactful areas of harm (impact) meaning that we miss opportunities to correct poor information rights practices and our regulatory work does not effectively align to deliver all of the IRSP goals.
Regulatory assessment | Cautious | All goals | New | Long term | Corporate


48 | 02/09/19 | R81
Management Board Resilience: (cause) Management Board and Executive Team capacity and resilience (threat) may not be sufficient to retain clarity of leadership and direction during a critical period of change to the regulatory landscape (impact) resulting in delay to the achievement of the IRSP goals and operational, regulatory and organisational priorities
Staff recruitment, retention and development | Averse | All goals | Same <> | Medium term | Corporate

49 | 22/09/18 | R26
Improving Productivity: (Cause) Risk that growth in the ICO’s investment in infrastructure, people and process resources (Threat) is not effectively utilised to reduce contradictory and duplication of efforts, minimise delivery gaps, exploit new business models and maximise best use of ICO resources such that (Impact) whilst the ICO grows it does not improve efficiency and productivity and is no better placed to achieve the ICO’s IRSP goals and corporate outcomes.
Organisational change and development | Open | All goals | Down J | Medium term | Corporate




Cyber Security: (Cause) Risk that although the ICO is continuously vigilant with its cyber security controls that as the ICO’s profile increases and it innovates with new technology systems, (Threat) it becomes increasingly at risk of a security breach, either malicious or inadvertent from within the organisation or from external attacks by cyber-criminals. (Impact) This could result in many negative impacts, such as distress to individuals, legal, financial and serious reputational damage to the ICO, possible penetration and crippling of the ICO’s IT systems preventing it from delivering its regulatory functions and IRSP goals
All goals | Same <> | Long term | Corporate

71 | 06/04/20 | R86
Political and Economic Environment: (Cause) Risk that the ICO doesn't have the plans or the ability to respond to changes in the economic climate, government policy or to government attitudes and reviews, meaning that the ICO doesn't (Threat) adapt and flex quickly enough or in the right way to meet changing stakeholder views and needs (Impact) preventing the achievement of the IRSP goal to be an effective and efficient regulator.
Regulatory guidance and strategy | Open | All goals | New | Long term | Corporate